Description
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
Published: 2026-06-16
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from missing authorization checks within several API endpoints of Rockwell Automation FactoryTalk Analytics PavilionX. An unauthorized actor who gains network access to the vulnerable APIs can trigger privileged operations such as creating, modifying, or deleting user accounts, roles, and other administrative settings. This lack of proper authorization enforcement—identified as Missing Authorization (CWE‑862)—can enable a single compromised session to fully control the system’s security configuration, leading to extensive compromise of confidentiality, integrity, and availability of the overall environment.

Affected Systems

Rockwell Automation FactoryTalk Analytics PavilionX is the product affected. No specific version information is listed in the advisory, so all installations of this product are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.3 places this issue in the high severity category, and the EPSS score of less than 1% suggests that, at the time of this analysis, the likelihood of public exploitation is low. However, because the vulnerability is not included in the CISA KEV catalogue, there is no evidence of active exploitation, the risk is primarily theoretical but with significant potential impact. The attack vector is inferred to be the exposed API endpoints that require authentication; if an attacker can reach these endpoints from within the trusted network or via an exploited authenticated session, they can trigger the privileged operations.

Generated by OpenCVE AI on June 17, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or update to the fixed firmware version for FactoryTalk Analytics PavilionX.
  • Restrict external network access to the PavilionX API by placing it behind a firewall or review and enforce least‑privilege role assignments, removing unnecessary administrative rights from all user accounts.
  • Enable comprehensive audit logging for all API calls and monitor logs for signs of unauthorized activity.

Generated by OpenCVE AI on June 17, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rockwellautomation
Rockwellautomation factorytalk Analytics Pavilionx
Vendors & Products Rockwellautomation
Rockwellautomation factorytalk Analytics Pavilionx

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
Title Rockwell Automation FactoryTalk Analytics PavilionX
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Rockwellautomation Factorytalk Analytics Pavilionx
cve-icon MITRE

Status: PUBLISHED

Assigner: Rockwell

Published:

Updated: 2026-06-16T15:25:24.960Z

Reserved: 2025-12-08T15:21:27.379Z

Link: CVE-2025-14272

cve-icon Vulnrichment

Updated: 2026-06-16T15:25:22.388Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:33.000

Modified: 2026-06-16T15:26:04.250

Link: CVE-2025-14272

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:23Z

Weaknesses